[Freeipa-users] ipa-replica-prepare error

Martin Kosek mkosek at redhat.com
Fri Jul 31 07:48:26 UTC 2015


On 07/30/2015 05:28 PM, Orion Poplawski wrote:
> On 07/28/2015 11:09 PM, Jan Cholasta wrote:
>> On 20.7.2015 at 19:52, Orion Poplawski wrote:
>>> On 07/20/2015 12:57 AM, Jan Cholasta wrote:
>>>> On 15.7.2015 at 20:57, Orion Poplawski wrote:
>>>>> On 07/14/2015 11:53 PM, Jan Cholasta wrote:
>>>>>>
>>>>>>        # ipa-replica-prepare -v ipa1.nwra.com --dirsrv_pkcs12=nwra.com.p12
>>>>>> --dirsrv_pin=XXXXXX --http_pkcs12=nwra.com.p12 --http_pin=XXXXXX
>>>>>
>>>>> Directory Manager (existing master) password:
>>>>>
>>>>> (SEC_ERROR_LIBRARY_FAILURE) security library failure.
>
> I was able to debug this in gdb and tracked it down to a low entropy
> condition.  Details noted in https://fedorahosted.org/freeipa/ticket/5117.
> Looks like prng_instantiate is being called 2-3 times and there just isn't
> enough entropy:
>
>
> Breakpoint 1, prng_instantiate (rng=0x7fffe5f9d3a0 <theGlobalRng>,
>      bytes=bytes@entry=0x7fffffffc220 "\304(\336\350F8\375㨟\177\325\017+\302
> \230\"e\215\bf\201Rw;\300\260\330\366\315\342\235\034]\374J\324&\263",
> len=110) at drbg.c:160
> 160         if (len < PRNG_SEEDLEN) {
> 1: len = 110
> (gdb) c
> Continuing.
>
> Breakpoint 1, prng_instantiate (rng=rng@entry=0x7fffe5f9f620 <testContext>,
>      bytes=bytes@entry=0x2153b70
> "\216\234\r%u\"\004\371\305y\020\213#y7\024\237,\307\v9\370\356\357\225\f\227Y\374\n\205A\240;\025\002",
> len=len@entry=32) at drbg.c:160
> 160         if (len < PRNG_SEEDLEN) {
> 1: len = 32
>
> PRNG_SEEDLEN is 55 I think.
>

Thank you for the thorough investigation! I saw your ticket comment and moved it
back to Triage so that we can keep investigating it.

We already have some code that checks available entropy and/or waits for
sufficient entropy in the ipa-server-install code. Maybe we will need to do
something in ipa-replica-prepare as well; we will see. We can continue the
discussion in the ticket directly.
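
An added example, not part of the original message and not FreeIPA's own code: one way a wrapper could read the kernel's entropy estimate and wait for it to recover before starting ipa-replica-prepare. The 200-bit threshold, the timeout and the function names are assumptions made for this example.

```python
import time

# Linux kernel's estimate of available entropy, in bits.
ENTROPY_AVAIL = "/proc/sys/kernel/random/entropy_avail"
# Assumed threshold for this example; not a value taken from FreeIPA or NSS.
MIN_ENTROPY_BITS = 200


def read_entropy(path=ENTROPY_AVAIL):
    """Return the entropy estimate in bits, or None if it cannot be read."""
    try:
        with open(path) as f:
            return int(f.read().strip())
    except (OSError, ValueError):
        return None


def wait_for_entropy(minimum=MIN_ENTROPY_BITS, timeout=30.0, interval=1.0,
                     path=ENTROPY_AVAIL, sleep=time.sleep,
                     clock=time.monotonic):
    """Poll until the estimate reaches `minimum` or `timeout` seconds pass.

    Returns (ok, last_value). An unreadable counter fails immediately,
    since waiting cannot fix a missing or malformed file.
    """
    deadline = clock() + timeout
    while True:
        value = read_entropy(path)
        if value is None:
            return False, None
        if value >= minimum:
            return True, value
        if clock() >= deadline:
            return False, value
        sleep(interval)


if __name__ == "__main__":
    import sys
    ok, bits = wait_for_entropy()
    if not ok:
        sys.exit("entropy estimate too low (%s bits); "
                 "not starting ipa-replica-prepare" % bits)
    print("entropy estimate %d bits; OK to proceed" % bits)
```

Failing with an explicit message here is easier to diagnose than the generic SEC_ERROR_LIBRARY_FAILURE that surfaces once the crypto library is already running.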



